296 lines
7.8 KiB
YAML
296 lines
7.8 KiB
YAML
---
|
|
|
|
- name: Install OpenVPN
|
|
apt:
|
|
name: openvpn
|
|
|
|
- name: Delete unwanted OpenVPN folders
|
|
file:
|
|
state: absent
|
|
dest: "/etc/openvpn/{{ item }}"
|
|
with_items:
|
|
- client
|
|
- server
|
|
|
|
- name: Create the _openvpn user
|
|
user:
|
|
name: _openvpn
|
|
system: yes
|
|
create_home: no
|
|
home: "/nonexistent"
|
|
shell: "/usr/sbin/nologin"
|
|
|
|
- name: Create the shellpki user
|
|
user:
|
|
name: shellpki
|
|
system: yes
|
|
create_home: no
|
|
home: "/etc/shellpki"
|
|
shell: "/usr/sbin/nologin"
|
|
|
|
- name: Create /etc/shellpki
|
|
file:
|
|
dest: "/etc/shellpki"
|
|
mode: "0755"
|
|
owner: shellpki
|
|
group: shellpki
|
|
state: directory
|
|
|
|
- include_role:
|
|
name: evolix/remount-usr
|
|
|
|
- name: Copy shellpki files
|
|
copy:
|
|
src: "shellpki/{{ item.source }}"
|
|
dest: "{{ item.destination }}"
|
|
mode: "{{ item.mode }}"
|
|
owner: "{{ item.owner }}"
|
|
group: "{{ item.group }}"
|
|
with_items:
|
|
- { source: "openssl.cnf", destination: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "shellpki", group: "shellpki" }
|
|
- { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0750", owner: "root", group: "root" }
|
|
|
|
- name: Add sudo rights
|
|
lineinfile:
|
|
dest: "/etc/sudoers.d/shellpki"
|
|
regexp: '/usr/local/sbin/shellpki'
|
|
line: "%shellpki ALL = (root) /usr/local/sbin/shellpki"
|
|
create: yes
|
|
mode: "0400"
|
|
owner: root
|
|
group: root
|
|
validate: 'visudo -cf %s'
|
|
|
|
- name: Deploy OpenVPN client config template
|
|
template:
|
|
src: "ovpn.conf.j2"
|
|
dest: "/etc/shellpki/ovpn.conf"
|
|
mode: "0600"
|
|
owner: shellpki
|
|
group: shellpki
|
|
|
|
- name: Generate dhparam
|
|
openssl_dhparam:
|
|
path: /etc/shellpki/dh2048.pem
|
|
size: 2048
|
|
|
|
- include_role:
|
|
name: evolix/remount-usr
|
|
|
|
- name: Deploy OpenVPN server config
|
|
template:
|
|
src: "server.conf.j2"
|
|
dest: "/etc/openvpn/server.conf"
|
|
mode: "0600"
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Is minifirewall installed ?
|
|
stat:
|
|
path: "/etc/default/minifirewall"
|
|
check_mode: no
|
|
changed_when: false
|
|
register: minifirewall_config
|
|
|
|
- name: Retrieve the default interface
|
|
shell: "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2"
|
|
check_mode: no
|
|
changed_when: false
|
|
register: minifirewall_int
|
|
when: minifirewall_config.stat.exists
|
|
|
|
- name: Add minifirewall rule in config file
|
|
lineinfile:
|
|
dest: "/etc/default/minifirewall"
|
|
line: "{{ item }}"
|
|
with_items:
|
|
- "# OpenVPN"
|
|
- "/sbin/iptables -t nat -A POSTROUTING -s {{ openvpn_lan }}/{{ openvpn_netmask_cidr }} -o $INT -j MASQUERADE"
|
|
when: minifirewall_config.stat.exists
|
|
|
|
- name: Activate minifirewall rule
|
|
iptables:
|
|
table: nat
|
|
chain: POSTROUTING
|
|
source: "{{ openvpn_lan }}/{{ openvpn_netmask_cidr }}"
|
|
out_interface: "{{ minifirewall_int.stdout }}"
|
|
jump: MASQUERADE
|
|
when: minifirewall_config.stat.exists
|
|
|
|
- name: Add 1194/udp OpenVPN port to public services in minifirewall
|
|
replace:
|
|
dest: "/etc/default/minifirewall"
|
|
regexp: "^SERVICESUDP1='(.*)?'$"
|
|
replace: "SERVICESUDP1='\\1 1194'"
|
|
backup: yes
|
|
when: minifirewall_config.stat.exists
|
|
|
|
- name: Activate minifirewall rule for IPv4
|
|
iptables:
|
|
chain: INPUT
|
|
protocol: udp
|
|
destination_port: "1194"
|
|
jump: ACCEPT
|
|
ip_version: ipv4
|
|
when: minifirewall_config.stat.exists
|
|
|
|
- name: Activate minifirewall rule for IPv6
|
|
iptables:
|
|
chain: INPUT
|
|
protocol: udp
|
|
destination_port: "1194"
|
|
jump: ACCEPT
|
|
ip_version: ipv6
|
|
when: minifirewall_config.stat.exists
|
|
|
|
- name: Enable forwarding
|
|
sysctl:
|
|
name: net.ipv4.ip_forward
|
|
value: "1"
|
|
sysctl_file: "/etc/sysctl.d/openvpn.conf"
|
|
|
|
- name: Configure logrotate for OpenVPN
|
|
copy:
|
|
src: logrotate_openvpn
|
|
dest: /etc/logrotate.d/openvpn
|
|
force: no
|
|
|
|
- name: Generate a password for the management interface
|
|
set_fact:
|
|
management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"
|
|
|
|
- name: Set the management password
|
|
copy:
|
|
dest: "/etc/openvpn/management-pwd"
|
|
content: "{{ management_pwd }}"
|
|
mode: "0600"
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Enable openvpn service
|
|
systemd:
|
|
name: "openvpn@server.service"
|
|
enabled: yes
|
|
|
|
- name: Is NRPE installed ?
|
|
stat:
|
|
path: "/etc/nagios/nrpe.d/evolix.cfg"
|
|
check_mode: no
|
|
changed_when: false
|
|
register: nrpe_evolix_config
|
|
|
|
- name: Install NRPE check dependencies
|
|
apt:
|
|
name: libnet-telnet-perl
|
|
when: nrpe_evolix_config.stat.exists
|
|
|
|
- include_role:
|
|
name: evolix/remount-usr
|
|
|
|
- name: Install OpenVPN NRPE check
|
|
copy:
|
|
src: "files/check_openvpn_debian.pl"
|
|
dest: "/usr/local/lib/nagios/plugins/check_openvpn"
|
|
mode: "0755"
|
|
owner: root
|
|
group: nagios
|
|
when: nrpe_evolix_config.stat.exists
|
|
|
|
- name: Configure NRPE OpenVPN check
|
|
lineinfile:
|
|
dest: "/etc/nagios/nrpe.d/evolix.cfg"
|
|
regexp: '^command\[check_openvpn\]='
|
|
line: "command[check_openvpn]=/usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
|
|
notify: restart nagios-nrpe-server
|
|
when: nrpe_evolix_config.stat.exists
|
|
|
|
- include_role:
|
|
name: evolix/remount-usr
|
|
|
|
- name: Install OpenVPN certificates NRPE check
|
|
copy:
|
|
src: "files/check_openvpn_certificates.sh"
|
|
dest: "/usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
|
|
mode: "0755"
|
|
owner: root
|
|
group: nagios
|
|
when: nrpe_evolix_config.stat.exists
|
|
|
|
- name: Add sudo rights for NRPE check
|
|
lineinfile:
|
|
dest: "/etc/sudoers.d/openvpn"
|
|
regexp: 'check_openvpn_certificates.sh'
|
|
line: "nagios ALL=NOPASSWD: /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
|
|
create: yes
|
|
mode: "0400"
|
|
owner: root
|
|
group: root
|
|
validate: 'visudo -cf %s'
|
|
when: nrpe_evolix_config.stat.exists
|
|
|
|
- name: Configure NRPE certificates check
|
|
lineinfile:
|
|
dest: "/etc/nagios/nrpe.d/evolix.cfg"
|
|
regexp: '^command\[check_openvpn_certificates\]='
|
|
line: "command[check_openvpn_certificates]=sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
|
|
notify: restart nagios-nrpe-server
|
|
when: nrpe_evolix_config.stat.exists
|
|
|
|
- include_role:
|
|
name: evolix/remount-usr
|
|
|
|
- name: Copy script to check expirations
|
|
copy:
|
|
src: "shellpki/cert-expirations.sh"
|
|
dest: "/usr/share/scripts/cert-expirations.sh"
|
|
mode: "0700"
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Install cron to warn about certificates expiration
|
|
cron:
|
|
name: "OpenVPN certificates expiration"
|
|
special_time: monthly
|
|
job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI OpenVPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'
|
|
|
|
- name: Generate the CA password
|
|
set_fact:
|
|
ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}"
|
|
check_mode: no
|
|
changed_when: no
|
|
|
|
- name: Initialization of the CA
|
|
shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}'
|
|
|
|
- name: Creation of the server's certificate
|
|
shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}'
|
|
|
|
- name: Get the server key
|
|
shell: 'ls -tr /etc/shellpki/private/ | tail -1'
|
|
register: ca_key
|
|
check_mode: no
|
|
changed_when: no
|
|
|
|
- name: Configure the server key
|
|
replace:
|
|
path: /etc/openvpn/server.conf
|
|
regexp: 'key /etc/shellpki/private/TO_COMPLETE'
|
|
replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}'
|
|
|
|
- name: Restart OpenVPN
|
|
systemd:
|
|
name: "openvpn@server.service"
|
|
state: restarted
|
|
|
|
- name: Warn the user about manual checks
|
|
pause:
|
|
prompt: |
|
|
/!\ WARNING /!\
|
|
You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "systemctl restart openvpn@server.service".
|
|
The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN.
|
|
|
|
Take note of the generated CA password and store it in your password manager : {{ ca_pwd }}
|
|
|
|
Press enter to exit when it's done.
|
|
|